S/MIME certificates with LDAP-only CRL uri

Werner Koch wk at gnupg.org
Thu Feb 23 16:09:31 CET 2023


On Thu, 23 Feb 2023 11:22, Alexander Grahn said:
> Should an ldap host answer on ping requests in general? Because the one in

Pinging arbitrary servers does often work because too many admins tend
to block ICMP echo.  An LDAP server is commonly behind some load
balancer and thus a ping won't help you anyway.

> question, ldap.dgnservice.de, remains silent. I tried with other hosts picked

Works for me.

$ dirmngr --debug network --fetch-crl  'ldap://ldap.dgnservice.de:389/CN=CRL-1,O=DGN%20Service%20GmbH,C=DE?certificateRevocationList?base?objectClass=cRLDistributionPoint'

dirmngr[27784.0]: dirmngr_ldap[27786]: found attribute 'certificateRevocationList;binary'
dirmngr[27784.0]: update times of this CRL: this=20230222T230000 next=20230324T230000
dirmngr[27784.0]: locating CRL issuer certificate by authorityKeyIdentifier
dirmngr[27784.0]: DBG: find_cert_bysubject: certificate not in cache
dirmngr[27784.0]: DBG: get_cert_local_ski called w/o context

Thus it could read the CRL (see the update times) but for verification a
certificate is missing.  That is a problem with the fetch-crl command of
dirmngr.  I will look closer at the problem and thus I need to improve the
error reporting.


Shalom-Salam,

   Werner


-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
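As an added illustration, not part of Werner's message and not GnuPG's own code: the script below takes apart an LDAP CRL distribution point URL of the form used above (RFC 4516: host, port, base DN, attribute list, scope, filter) and then reads dirmngr's debug output to report whether the CRL it fetched is currently valid and whether the issuer certificate needed to verify it was found. The URL and log lines are copied from the message; the assumption that dirmngr prints update times in UTC is mine.

```python
"""Parse an RFC 4516 LDAP URL as used in a CRL distribution point and
interpret dirmngr's 'update times of this CRL' debug output (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import unquote, urlsplit

# URL from the message above.
CRL_URL = ("ldap://ldap.dgnservice.de:389/CN=CRL-1,O=DGN%20Service%20GmbH,C=DE"
           "?certificateRevocationList?base?objectClass=cRLDistributionPoint")

# Debug lines copied from the message above.
DIRMNGR_LOG = [
    "dirmngr[27784.0]: dirmngr_ldap[27786]: found attribute 'certificateRevocationList;binary'",
    "dirmngr[27784.0]: update times of this CRL: this=20230222T230000 next=20230324T230000",
    "dirmngr[27784.0]: locating CRL issuer certificate by authorityKeyIdentifier",
    "dirmngr[27784.0]: DBG: find_cert_bysubject: certificate not in cache",
    "dirmngr[27784.0]: DBG: get_cert_local_ski called w/o context",
]


@dataclass
class LdapCrlUrl:
    host: str
    port: int
    base_dn: str
    attributes: list
    scope: str
    ldap_filter: str


def parse_ldap_url(url: str) -> LdapCrlUrl:
    """Split ldap[s]://host[:port]/dn[?attrs[?scope[?filter]]] into its parts."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %s" % url)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    base_dn = unquote(parts.path.lstrip("/"))
    # urlsplit cuts at the first '?' only, so the remaining '?'-separated
    # fields (attributes, scope, filter) are still inside .query.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attrs, scope, filt = fields[:3]
    return LdapCrlUrl(
        host=parts.hostname or "",
        port=port,
        base_dn=base_dn,
        attributes=[unquote(a) for a in attrs.split(",") if a],
        scope=unquote(scope) or "base",              # RFC 4516 default
        ldap_filter=unquote(filt) or "(objectClass=*)",  # RFC 4516 default
    )


UPDATE_RE = re.compile(r"update times of this CRL: this=(\d{8}T\d{6}) next=(\d{8}T\d{6})")


def parse_gnupg_time(stamp: str) -> datetime:
    """Turn a YYYYMMDDTHHMMSS stamp into an aware datetime (assumed UTC)."""
    return datetime.strptime(stamp, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)


def crl_window_from_log(lines):
    """Return (thisUpdate, nextUpdate) from dirmngr debug output, or None."""
    for line in lines:
        m = UPDATE_RE.search(line)
        if m:
            return parse_gnupg_time(m.group(1)), parse_gnupg_time(m.group(2))
    return None


def crl_status(lines, now: datetime) -> str:
    """Classify the fetched CRL as current, expired, not-yet-valid or unknown."""
    window = crl_window_from_log(lines)
    if window is None:
        return "unknown"
    this_update, next_update = window
    if now < this_update:
        return "not-yet-valid"
    if now >= next_update:
        return "expired"
    return "current"


def issuer_cert_missing(lines) -> bool:
    """True when dirmngr could not find the CRL issuer certificate locally."""
    return any("certificate not in cache" in line for line in lines)


if __name__ == "__main__":
    u = parse_ldap_url(CRL_URL)
    print("host=%s port=%d dn=%r attrs=%s scope=%s filter=%s"
          % (u.host, u.port, u.base_dn, u.attributes, u.scope, u.ldap_filter))
    print("CRL status:", crl_status(DIRMNGR_LOG, parse_gnupg_time("20230223T150931")))
    print("issuer certificate missing:", issuer_cert_missing(DIRMNGR_LOG))
```

Run against the message's own output, the CRL is reported as current for 23 February 2023 while the issuer certificate is flagged as missing, which matches the diagnosis above: the fetch succeeded, the verification step is what failed.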